Wifi Concern at Hospital

Hola,
Late summer, I have a procedure that requires me staying at the hospital for 4-6 weeks. I am not sure whether to bring my notebook computer that has all my financial records.

Would you feel safe about using the hospital wifi?
 
Any banking service these days will use pretty much unbreakable encryption. I'd think the only worries would be about keystroke loggers that might have been surreptitiously loaded.
 
Yep. A VPN like Mullvad or Proton will do you right. But you also have to worry about someone snatching the computer. Just be careful.
 
Any banking service these days will use pretty much unbreakable encryption. I'd think the only worries would be about keystroke loggers that might have been surreptitiously loaded.
DNS redirection is a problem (hence my comment about DNS). You get redirected to a site that looks like the site you want, you don't get a cert error, because the site has a legit cert, but the information you input goes to a nefarious actor.

This is one of the times a VPN makes sense IMHO, as you control where your DNS queries go. We use Cisco AnyConnect as our VPN client, but pretty much any SSL VPN will work (IPSEC is sometimes blocked).
 
DNS redirection is a problem (hence my comment about DNS). You get redirected to a site that looks like the site you want, you don't get a cert error, because the site has a legit cert, but the information you input goes to a nefarious actor.

This is one of the times a VPN makes sense IMHO, as you control where your DNS queries go. We use Cisco AnyConnect as our VPN client, but pretty much any SSL VPN will work (IPSEC is sometimes blocked).

I look carefully where it's going though, and typically I'll use the banking app on a mobile device.
 
Yes, as long as you are vigilant it's probably OK, I just don't like taking chances, so I'll use my work VPN.

All the banking websites I use do quite a few of their redirects, but it's not that hard to look carefully at the URL. But I guess the big thing would be where maybe something is trying to log usernames and passwords.
 
If connecting to a wifi network that I don't control, I turn on a full-tunnel VPN... WireGuard on udp/443 for my personal stuff (have OpenVPN on tcp/443 as a backup), or my corporate SSL VPN for work devices.
 
Definitely use a VPN with full-tunneling on it, if you can. As someone who works for a hospital group in IT, I know we don't do much at all when it comes to securing the guest wifi. Anyone can see what you are doing on it, from other users to the IT department. Also my group blocks VPN use on the guest wifi, so you can't even use one at all, which is why I added the "if you can" to my first sentence.

If that is the case, use a hotspot either on your phone or one of the standalone ones. Then you will have full control of what you are using.
 
This is a scenario where I'll use my work VPN (which is full-tunnel, not split-tunnel) so that all traffic going to/from my device is encrypted and I know where my DNS queries are going. This is the same approach I use in hotels.

Same, except I have the VPN to my home Cisco ASA.
 
Same, except I have the VPN to my home Cisco ASA.
That'd be 5x firewalls ago for me, lol. I had a couple of ASAs, then moved to Juniper, then Meraki (which also supports AnyConnect), but recently I've been using a Ubiquiti UDM, which also has an SSL VPN. I haven't bothered using it yet, since I have AnyConnect set up on our firewalls at work and AnyConnect of course just "works".
 
Definitely use a VPN with full-tunneling on it, if you can. As someone who works for a hospital group in IT, I know we don't do much at all when it comes to securing the guest wifi. Anyone can see what you are doing on it, from other users to the IT department. Also my group blocks VPN use on the guest wifi, so you can't even use one at all, which is why I added the "if you can" to my first sentence.

If that is the case, use a hotspot either on your phone or one of the standalone ones. Then you will have full control of what you are using.
Yeah, that's been my experience with several guest WiFi services (healthcare included; I also work in health care, though on the services side of things): they tend to block L2TP and IPSEC. More recently, rules have been incorporated to allow broad blocking of consumer VPNs (even over SSL, since it's the target addresses that are blocked) and DoH.

This is why having a home or work SSL VPN is useful, because it won't get blocked, since something like AnyConnect is indistinguishable from other HTTPS traffic. So unless you are using permit-only rules, which would be a disaster to maintain when compared to dynamic block lists, this is pretty much guaranteed to work.
 